The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.
But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time.
Google’s security researchers, for example, give vendors just 90 days’ warning before publishing flaws they find. Microsoft Corp (MSFT.O) declined to say how long it usually takes to patch a flaw.
Hanson spent some months combining his find with other flaws to make it more deadly, he said on Twitter. The company often pays a modest bounty of a few thousands dollars for the identification of security risks.
The initial attacks were carefully aimed at a small number of targets and so stayed below the radar. But in March, security researchers at FireEye Inc (FEYE.O) noticed that a notorious piece of financial hacking software known as Latenbot was being distributed using the same Microsoft bug.
[Source]
